# SPDX-License-Identifier: Apache-2.0
# © Crown Copyright 2025. This work has been developed by the National Digital Twin Programme and is legally attributed to the Department for Business and Trade (UK) as the governing entity.
# This workflow is triggered when a pull request is merged into the main branch
# from a release/* or hotfix/* branch. It extracts the release version from the source branch,
# generates a Software Bill of Materials (SBOM) using the GitHub API,
# creates a Git tag with the version, and publishes a GitHub release including the SBOM file.
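name: Generate SBOM, Tag and Publish GitHub Release

on:
  pull_request:
    types:
      - closed
    branches:
      - main

jobs:
  # Gate job: runs only for PRs that were actually merged (not merely closed)
  # and whose source branch is release/* or hotfix/*. Every other job `needs`
  # this one, so they are all skipped whenever this gate does not pass.
  versioning:
    name: Extract Release Version
    if: |
      github.event.pull_request.merged == true &&
      (startsWith(github.head_ref, 'release/') || startsWith(github.head_ref, 'hotfix/'))
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      # Single source of truth for the version consumed by the tag/release jobs.
      version: ${{ steps.extract_version.outputs.version }}
    steps:
      - name: Extract and Validate Version from Source Branch Name
        id: extract_version
        # The branch name is user-controlled input: it is handed to the script via
        # an environment variable rather than interpolated with ${{ }} so it can
        # never be executed as shell syntax.
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          SOURCE_BRANCH="$HEAD_REF"
          # Keep only the first X.Y.Z match so a branch name that happens to contain
          # two version-like strings cannot produce a multi-line value. `|| true`
          # keeps the shell's -e/pipefail from aborting before the error message
          # below is printed when grep finds nothing.
          VERSION=$(echo "$SOURCE_BRANCH" | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+' | head -n 1 || true)
          if [ -z "$VERSION" ]; then
            echo "Error: No semantic release version found in source branch: $SOURCE_BRANCH"
            exit 1
          fi
          # Validate BEFORE exporting: downstream jobs interpolate this value into
          # tag and release names, so nothing but strict X.Y.Z may ever reach them.
          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Error: Invalid version format found. Expected semantic version in release or hotfix branch name (e.g., release/0.9.0 or hotfix/0.9.1)"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Print Tag Version
        env:
          EXTRACTED_VERSION: ${{ steps.extract_version.outputs.version }}
        run: |
          echo "Identified release semantic version: $EXTRACTED_VERSION"

  generate-sbom:
    name: Generate SPDX SBOM
    # Depends on the gate job only so that it is skipped whenever versioning is.
    needs: [versioning]
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      # No checkout step: the SBOM is fetched from the GitHub dependency-graph API
      # and nothing below reads the working tree, so the repository contents are
      # never needed on this runner.
      - name: Generate SPDX SBOM
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          # Call the GitHub API to generate the SBOM. --fail (-f) makes curl exit
          # non-zero on an HTTP error (e.g. dependency graph disabled, 403/404)
          # instead of handing a JSON error body to jq.
          api_response=$(curl -fsSL \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "$GITHUB_API_URL/repos/$REPO/dependency-graph/sbom")
          # Extract the nested "sbom" object into a valid SPDX file. `jq -e` exits
          # non-zero when .sbom is missing or null, so a file containing "null" is
          # never uploaded and later attached to the release as if it were an SBOM.
          echo "$api_response" | jq -e '.sbom' > sbom.spdx.json
          # NOTE(review): the dependency graph is refreshed asynchronously after a
          # push, so this SBOM describes the default branch as GitHub currently has
          # it indexed, which may lag the just-merged commit — confirm if the SBOM
          # must match the tagged commit exactly.
      - name: Upload SBOM Artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: sbom
          path: sbom.spdx.json

  create-git-tag:
    name: Create Git Tag
    needs: [versioning, generate-sbom]
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so the PR head commit being tagged is present locally.
          fetch-depth: 0
      - name: Create Git Tag
        uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2
        with:
          # Safe to interpolate: the version was validated as strict X.Y.Z above.
          tag: "v${{ needs.versioning.outputs.version }}"
          message: "Release v${{ needs.versioning.outputs.version }}"
          # NOTE(review): force-pushing lets a re-run, or a second branch named for
          # an already-released version, silently move a published tag to a
          # different commit. If released versions are meant to be immutable,
          # consider failing when the tag already exists on another commit.
          force_push_tag: true
          # Tag the HEAD commit from the merged release branch not the merge commit to
          # ensure the tag points to the correct source code state for the release.
          # This ensures that the release tag is also visible on any branch which does
          # not contain the merge commit such as develop.
          commit_sha: ${{ github.event.pull_request.head.sha }}

  create-git-release:
    name: Create GitHub Release
    needs: [versioning, generate-sbom, create-git-tag]
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Download SBOM Artifact
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: sbom
      - name: Create GitHub Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          tag_name: "v${{ needs.versioning.outputs.version }}"
          name: "Release v${{ needs.versioning.outputs.version }}"
          # The CHANGELOG link points at main rather than at the release tag.
          body: "Automated release for version ${{ needs.versioning.outputs.version }}. For details of fixes, new features and changes in this release, please see [CHANGELOG.md](${{ github.server_url }}/${{ github.repository }}/blob/main/CHANGELOG.md)."
          draft: false
          prerelease: false
          # The SBOM produced by generate-sbom is published alongside the release.
          files: |
            sbom.spdx.json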